rootsh: Package init

Signed-off-by: Grooooot <isula@huawei.com>
Grooooot 2020-02-19 10:44:49 +08:00
parent 2601c46004
commit 26e362598a
7 changed files with 307 additions and 0 deletions

README (new file, 120 lines):
Introduction:
=============
rootsh is a wrapper for a shell which will make a copy of everything printed
on your terminal. Its main purpose is to give ordinary users a shell with
root privileges while keeping an eye on what they type. This is accomplished
by allowing them to execute rootsh via the sudo command. Unlike a simple
"sudo -s", which is the usual way of doing this, "sudo rootsh" will send their
terminal keystrokes and output to a logfile and, if you configure it so, on to
a remote syslog server, where they are out of the user's reach and safe from
manipulation.
Motivation:
===========
Sometimes users need to perform tasks on a system which are too complex
to be expressed in sudo rules. Sometimes there is management pressure
to give a user a root shell. Sometimes you're just tired of arguing with
users who insist on having root privileges.
With rootsh you can give your users access to a root shell while auditing
their actions.
Usage:
======
rootsh will be mainly used to give normal users the privilege of a
shell running under uid 0. This will mostly be accomplished by calling
it via the sudo command.
If, for example you have to grant user usr1234 local root privileges
on his workstation ws0001, you make an entry in your /etc/sudoers like this:
usr1234 ws0001 = /bin/rootsh
He will then have to type the following to become root:
usr1234@ws0001:~> sudo rootsh
Password:
ws0001:~ # id
uid=0(root) gid=0(root) groups=0(root)
ws0001:~ #
ws0001:~ # exit
exit
usr1234@ws0001:~>
If you compiled rootsh with the default settings, the keystrokes and output
will be sent line by line to the syslog daemon using priority local5.info.
To collect the output coming from running rootsh commands in a specific file
make an entry in your /etc/syslog.conf like this:
local5.notice /var/log/rootshell
or maybe like this:
local5.notice @your_central_syslog_host
Note that a syslog selector matches its own priority and everything more
severe, so local5.notice does not receive messages sent at local5.info; make
the selector match the priority your build of rootsh actually uses (local5.info
or local5.* catch both), otherwise nothing will be collected.
Wherever you send your syslog data to, the resulting output will be
like this:
Jul 2 17:44:19 ws0001 rootsh-020a: usr1234=root,/dev/pts/0: logging new rootsh session (rootsh-020a) to /var/log/rootsh/usr1234.20040702174419.020a
Jul 2 17:44:21 ws0001 rootsh-020a: 001: ws0001:~ # id
Jul 2 17:44:21 ws0001 rootsh-020a: 002: uid=0(root) gid=0(root) groups=0(root)
Jul 2 17:44:22 ws0001 rootsh-020a: 003: ws0001:~ #
Jul 2 17:46:03 ws0001 rootsh-020a: 004: ws0001:~ # exit
Jul 2 17:46:03 ws0001 rootsh-020a: 005: exit
Jul 2 17:46:03 ws0001 rootsh-020a: 006: *** rootsh session ended by user
Jul 2 17:46:03 ws0001 rootsh-020a: usr1234,/dev/pts/0: closing rootsh session (rootsh-020a)
where rootsh-020a is an identifier made of the program's name and the pid of
the rootsh process as a 4 digit hex number. It is prepended to every line sent
to syslog and helps you find all the entries in a logfile belonging to a
specific session: first find the "logging new..." line for the session you're
interested in, take its identifier (rootsh-020a in the example) and grep all
occurrences of it from your logfile. If rootsh is running on many machines,
two rootsh processes on different hosts may have the same pid, so the
identifier alone is ambiguous; add the hostname to grep's pattern in this case.
You will also find the same output locally on the ws0001 host in a file
named <caller's username>.<timestamp>.<process id>.
Depending on your operating system and the configure parameter --with-logdir=,
these files are found in /var/log/rootsh, /var/adm/rootsh or a directory of
your choice.
The counter after the session identifier helps you find holes if you are
not sure whether logging was incomplete (either due to manipulation or
network problems).
Logfiles of finished sessions get ".closed" appended to their names. This
helps you clean up and archive your logdir.
If the main process thinks the logfile was manipulated during the session,
it tries to recreate the file and ".tampered" instead of ".closed" is appended.
There is a parameter "-i", which tells rootsh to run the shell as a login shell.
You can use the parameter -u if you want to run the shell as another non-root user.
See the manpage at http://people.consol.de/~lausser/rootsh/rootsh.html for details.
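As an added example (not part of rootsh or of this package), the following Python script does what the paragraphs above describe by hand: it groups the syslog lines by hostname and session identifier, so that equal pids on different hosts do not collide, records which user opened each session and whether it was closed, and lists counter values missing from the sequence. The log lines embedded in it are constructed from the README's sample output; the second session on ws0002 is made up to show a hole in the counter.

```python
"""Audit rootsh syslog output: group by (host, session id), find counter holes.

Added example, not part of rootsh.  The sample lines are constructed from the
README's example output; the ws0002 session is invented to show a gap.
"""
import re
from collections import defaultdict

# syslog line as written by syslogd: "<timestamp> <host> rootsh-<hexpid>: <payload>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<sid>rootsh-[0-9a-f]{4,}): (?P<payload>.*)$"
)
# numbered terminal line inside the payload, e.g. "003: ws0001:~ #"
COUNTED_RE = re.compile(r"^(?P<n>\d{3,}): (?P<text>.*)$")

# Constructed sample: the README session on ws0001 plus a second host whose
# rootsh process happened to get the same pid and whose lines 002/003 are missing.
SAMPLE_LOG = """\
Jul  2 17:44:19 ws0001 rootsh-020a: usr1234=root,/dev/pts/0: logging new rootsh session (rootsh-020a) to /var/log/rootsh/usr1234.20040702174419.020a
Jul  2 17:44:21 ws0001 rootsh-020a: 001: ws0001:~ # id
Jul  2 17:44:21 ws0001 rootsh-020a: 002: uid=0(root) gid=0(root) groups=0(root)
Jul  2 17:44:22 ws0001 rootsh-020a: 003: ws0001:~ #
Jul  2 17:46:03 ws0001 rootsh-020a: 004: ws0001:~ # exit
Jul  2 17:46:03 ws0001 rootsh-020a: 005: exit
Jul  2 17:46:03 ws0001 rootsh-020a: 006: *** rootsh session ended by user
Jul  2 17:46:03 ws0001 rootsh-020a: usr1234,/dev/pts/0: closing rootsh session (rootsh-020a)
Jul  2 17:50:00 ws0002 rootsh-020a: usr5678=root,/dev/pts/1: logging new rootsh session (rootsh-020a) to /var/log/rootsh/usr5678.20040702175000.020a
Jul  2 17:50:01 ws0002 rootsh-020a: 001: ws0002:~ # id
Jul  2 17:50:05 ws0002 rootsh-020a: 004: ws0002:~ # exit
Jul  2 17:50:05 ws0002 rootsh-020a: 005: exit
Jul  2 17:50:05 ws0002 rootsh-020a: 006: *** rootsh session ended by user
Jul  2 17:50:05 ws0002 rootsh-020a: usr5678,/dev/pts/1: closing rootsh session (rootsh-020a)
"""


def parse_sessions(text):
    """Map (host, session id) -> {"user", "closed", "lines": [(counter, text)]}.

    The host is part of the key because the identifier only carries the pid,
    which repeats across machines.
    """
    sessions = defaultdict(lambda: {"user": None, "closed": False, "lines": []})
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # not a rootsh line
        s = sessions[(m["host"], m["sid"])]
        payload = m["payload"]
        c = COUNTED_RE.match(payload)
        if c:
            s["lines"].append((int(c["n"]), c["text"]))
        elif "logging new rootsh session" in payload:
            s["user"] = payload.split("=", 1)[0]   # "usr1234=root,..." -> usr1234
        elif "closing rootsh session" in payload:
            s["closed"] = True
    return dict(sessions)


def missing_counters(lines):
    """Counter values absent between 1 and the highest value seen."""
    seen = {n for n, _ in lines}
    if not seen:
        return []
    return sorted(set(range(1, max(seen) + 1)) - seen)


def audit(text):
    """Per session: opening user, clean close, and any holes in the counter."""
    report = {}
    for key, s in parse_sessions(text).items():
        report[key] = {
            "user": s["user"],
            "closed": s["closed"],
            "missing": missing_counters(s["lines"]),
        }
    return report


if __name__ == "__main__":
    for (host, sid), r in sorted(audit(SAMPLE_LOG).items()):
        print(host, sid, r)
```

A hole in the counter is not proof of tampering (a dropped UDP datagram between rootsh and the central syslog host looks the same), but it is exactly the case the local logfile and the ".tampered" suffix exist to disambiguate.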
How it works:
=============
rootsh works very much like the script utility. It forks and creates
a master/slave pseudo terminal pair. The slave pseudo terminal will
become the controlling terminal of the child process which will
execute a shell command. The parent process waits for input from the
user's terminal and sends it down the master pty. Every output including
the echoed input will be written to a logfile and to the syslog daemon.
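The mechanism described above, as an added Python example rather than rootsh's own C code: pty.fork() gives the child a new pseudo terminal as its controlling tty, the parent relays keystrokes from the user's terminal to the master side and copies everything that comes back both to the screen and to a log, tagging each terminal line with a rootsh-style session identifier and counter. The line format and the end-of-session marker approximate rootsh's output and are not taken from its source; the `show` and `relay_stdin` parameters are this example's own.

```python
"""rootsh-style pty wrapper in Python (added example, not rootsh's code).

Runs a command on a fresh pseudo terminal and records everything the command
writes to that terminal, including the echo of what the user types, as
numbered lines tagged with a session identifier built like rootsh's
(program name plus the wrapper's pid as hex digits).
"""
import os
import pty
import select
import sys
import termios
import tty


def session_id(pid):
    """rootsh-020a style identifier: program name plus the pid as 4 hex digits."""
    return "rootsh-%04x" % pid


def run_logged(argv, log_lines, relay_stdin=None, show=True):
    """Run argv on a new pty; append tagged, numbered output lines to log_lines.

    relay_stdin: forward our terminal's keystrokes to the child (default: only
    when stdin is a tty).  show: also copy the child's output to fd 1.
    Returns the child's exit code (128 + signal number if it was killed).
    """
    if relay_stdin is None:
        relay_stdin = sys.stdin.isatty()
    pid, master = pty.fork()
    if pid == 0:
        # Child: the pty slave is now stdin/stdout/stderr and the controlling tty.
        try:
            os.execvp(argv[0], argv)
        finally:
            os._exit(127)

    sid = session_id(os.getpid())
    counter = 0
    pending = b""                       # bytes of a not yet terminated line
    stdin_fd = sys.stdin.fileno() if relay_stdin else None
    saved = None
    if relay_stdin:
        saved = termios.tcgetattr(stdin_fd)
        tty.setraw(stdin_fd)            # no local echo; the child's tty echoes
    try:
        while True:
            watch = [master] + ([stdin_fd] if relay_stdin else [])
            ready, _, _ = select.select(watch, [], [])
            if master in ready:
                try:
                    data = os.read(master, 4096)
                except OSError:         # EIO on Linux: slave closed, child gone
                    break
                if not data:            # EOF on other platforms
                    break
                if show:
                    os.write(1, data)
                pending += data
                while b"\n" in pending:
                    line, pending = pending.split(b"\n", 1)
                    counter += 1
                    log_lines.append("%s: %03d: %s" % (
                        sid, counter, line.rstrip(b"\r").decode("utf-8", "replace")))
            if relay_stdin and stdin_fd in ready:
                keys = os.read(stdin_fd, 1024)
                if not keys:
                    break
                os.write(master, keys)  # keystrokes go down the master pty
    finally:
        if saved is not None:
            termios.tcsetattr(stdin_fd, termios.TCSADRAIN, saved)
        os.close(master)
    if pending:                         # output without a trailing newline
        counter += 1
        log_lines.append("%s: %03d: %s" % (sid, counter, pending.decode("utf-8", "replace")))
    _, status = os.waitpid(pid, 0)
    counter += 1
    log_lines.append("%s: %03d: *** rootsh session ended" % (sid, counter))
    if os.WIFEXITED(status):
        return os.WEXITSTATUS(status)
    return 128 + os.WTERMSIG(status)


if __name__ == "__main__":
    log = []
    rc = run_logged(sys.argv[1:] or ["/bin/sh"], log)
    for entry in log:
        print(entry, file=sys.stderr)
    sys.exit(rc)
```

Run interactively with a shell as the command and the log (printed to stderr on exit) contains the typed commands as the shell's echo, exactly as in the README's syslog excerpt; driven non-interactively, e.g. run_logged(["/bin/sh", "-c", "id"], log, show=False), only the command's output is recorded.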
Warning:
========
There may be methods to escape the auditing. The abuser might then delete
their traces or manipulate the logfiles.
With syslog logging (enabled by default) you have at least a chance
to find suspicious traces of misbehaviour, because the copy on the syslog
host is out of the abuser's reach.
MAINTAINER:
luanjianhai@huawei.com

logrotate-rootsh.sh (new file, 75 lines):
#!/bin/bash
# Called by logrotate (see /etc/logrotate.d/rootsh) as
#   logrotate-rootsh.sh lastaction
# Trims /var/log/rootsh/ to the "size" given in the logrotate config by
# removing the oldest rootsh session logs first.  Session logs are audit
# data and this script deletes the local copies, so keep the syslog copy
# (see README) if sessions must stay reviewable beyond the size limit.
DEFAULT_PATH="/var/log/rootsh/"
CONF="/etc/logrotate.d/rootsh"
MaxSize=0   # limit in KiB
GSize=0     # current directory size in KiB

# Get Max Size (in KiB) from the "size" directive in the logrotate config.
# logrotate reads a bare number as bytes and k/M/G as binary units.
function getmaxsize() {
    local size unit
    size=$(grep -m1 -E '^[[:space:]]*size[[:space:]]' "$CONF" | awk '{print $2}')
    unit=${size: -1}
    case $unit in
    'G' | 'g')
        size=${size:0:-1}
        size=$((size*1024*1024))
        ;;
    'M' | 'm')
        size=${size:0:-1}
        size=$((size*1024))
        ;;
    'K' | 'k')
        size=${size:0:-1}
        ;;
    [[:digit:]])
        size=$((size/1024))     # bytes -> KiB
        ;;
    *)
        size=102400             # 100M if the directive is missing or malformed
        ;;
    esac
    MaxSize=$size
}

# Total size of a directory in KiB as a single number (du -d 1 prints one
# line per subdirectory, which breaks the numeric comparison below).
function getsize() {
    GSize=$(du -sk "$1" | awk '{print $1}')
}

function logrotate_dir() {
    local path=$1
    local size=$2
    local file
    getsize "$path"
    while [ "$GSize" -gt "$size" ]; do
        # Oldest entry first.  Never the directory itself, and never the
        # "logrotate" placeholder whose rotation triggers this script.
        file=$(find "$path" -mindepth 1 -maxdepth 1 ! -name 'logrotate' \
               -printf '%T@ %f\n' | sort -n | head -1 | cut -d' ' -f2-)
        if [ -n "$file" ]; then
            rm -rf -- "${path%/}/$file"
        else
            break
        fi
        getsize "$path"
    done
}

function lastaction() {
    # Get Max Size in Configure File
    getmaxsize
    # Rotate /var/log/rootsh/*
    logrotate_dir "${DEFAULT_PATH}" "$MaxSize"
    # The rotated copy of the empty placeholder carries nothing worth keeping.
    rm -f "${DEFAULT_PATH}logrotate.1"
}

if [ $# -eq 1 ] && [ "$1" = "lastaction" ]; then
    lastaction
fi

New file (12 lines):
diff -up rootsh-1.5.3/src/rootsh.c.BAD rootsh-1.5.3/src/rootsh.c
--- rootsh-1.5.3/src/rootsh.c.BAD 2008-05-14 16:38:30.000000000 -0400
+++ rootsh-1.5.3/src/rootsh.c 2008-05-14 16:38:37.000000000 -0400
@@ -680,7 +680,7 @@ int beginlogging(void) {
// Open the logfile
*/
if ((logFile = open(logFileName, O_RDWR|O_CREAT|O_SYNC|O_CREAT|O_APPEND|
- S_IRUSR|S_IWUSR)) == -1) {
+ S_IRUSR|S_IWUSR, 0777)) == -1) {
perror(logFileName);
return(0);
}
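Review bot: the mode added as the third argument in `S_IRUSR|S_IWUSR, 0777)) == -1) {` is far too permissive for a file that will hold every keystroke and every line of output of a root session; with the usual umask of 022 the log is created 0755 and readable by every local user. The bits the original author evidently meant as the mode are still ORed into the flags argument in the preceding line (`O_RDWR|O_CREAT|O_SYNC|O_CREAT|O_APPEND|` followed by `S_IRUSR|S_IWUSR`); on Linux S_IWUSR (0200) and S_IRUSR (0400) have the same values as O_EXCL and O_NOCTTY, so the call is in effect an O_CREAT|O_EXCL open that refuses a pre-existing file or planted symlink of that name, which is useful but should be spelled O_EXCL rather than happen by accident, and O_CREAT is given twice. Suggest flags `O_RDWR|O_CREAT|O_EXCL|O_SYNC|O_APPEND` and mode `S_IRUSR|S_IWUSR` (0600).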

rootsh-1.5.3.tar.gz (new binary file, not shown)

New file (13 lines):
diff -Nur rootsh-1.5.3.orig/src/rootsh.c rootsh-1.5.3/src/rootsh.c
--- rootsh-1.5.3.orig/src/rootsh.c 2017-11-11 19:18:16.638430603 +0800
+++ rootsh-1.5.3/src/rootsh.c 2017-11-11 19:19:24.547425868 +0800
@@ -680,7 +680,7 @@
// Open the logfile
*/
if ((logFile = open(logFileName, O_RDWR|O_CREAT|O_SYNC|O_CREAT|O_APPEND|
- S_IRUSR|S_IWUSR, 0777)) == -1) {
+ S_IRUSR|S_IWUSR, 0666)) == -1) {
perror(logFileName);
return(0);
}
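Review bot: 0666 in `S_IRUSR|S_IWUSR, 0666)) == -1) {` still leaves the session log world-readable; under umask 022 the file is created 0644, so any local user can read the complete transcript of a root session. An audit log that only root needs to read should be created `S_IRUSR|S_IWUSR` (0600), the same mode the package's logrotate config uses for its placeholder (`create 0600 root root`); the spec packages /var/log/rootsh/ with default attributes, so the directory itself does not hide its contents either. The `S_IRUSR|S_IWUSR` in the flags argument on the line above (which on Linux coincide with O_NOCTTY and O_EXCL) is left in place by this patch and should move into the mode argument where it belongs.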

rootsh.logrotate (new file, 12 lines):
# /var/log/rootsh/logrotate is an empty placeholder created by rootsh.spec
# (touch $RPM_BUILD_ROOT/var/log/rootsh/logrotate); rootsh writes its session
# logs to <user>.<timestamp>.<pid> files, never to it.  Rotating it serves only
# to run the lastaction hook, which trims the session logs in /var/log/rootsh/
# to the "size" value below.  The spec installs the script into %{_bindir}, so
# the /bin path here relies on /bin being merged into /usr/bin.
/var/log/rootsh/logrotate
{
    size 100M
    daily
    missingok
    nocompress
    lastaction
        /bin/logrotate-rootsh.sh lastaction
    endscript
    create 0600 root root
}

rootsh.spec (new file, 75 lines):
Name: rootsh
Summary: Shell wrapper for auditing
Version: 1.5.3
Release: 15
License: GPLv3+
Source0: http://download.sourceforge.net/rootsh/%{name}-%{version}.tar.gz
Source1: rootsh.logrotate
Source2: logrotate-rootsh.sh
Patch0: rootsh-1.5.3-open-needs-3-args.patch
Patch1: rootsh-1.5.3_change_permissions.patch
URL: http://sourceforge.net/projects/rootsh
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
%description
Rootsh is a wrapper for shells which logs all echoed keystrokes and
terminal output to a file and/or to syslog. Its main purpose is the
auditing of users who need a shell with root privileges. They start
rootsh through the sudo mechanism.
%package_help
%prep
%autosetup -n %{name}-%{version} -p1
%build
%configure
%make_build
%install
rm -rf $RPM_BUILD_ROOT
%make_install
mkdir -p $RPM_BUILD_ROOT/var/log/rootsh
touch $RPM_BUILD_ROOT/var/log/rootsh/logrotate
# Logrotate script
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d
install -m 644 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/rootsh
install -m 500 %{SOURCE2} $RPM_BUILD_ROOT%{_bindir}/logrotate-rootsh.sh
%clean
rm -rf $RPM_BUILD_ROOT
%files
%defattr(-,root,root)
%doc README AUTHORS ChangeLog THANKS INSTALL COPYING
%{_bindir}/rootsh
%attr(500,root,root) %{_bindir}/logrotate-rootsh.sh
%config(noreplace) %{_sysconfdir}/logrotate.d/rootsh
/var/log/rootsh/
%files help
%{_mandir}/man1/rootsh.1.gz
%changelog
* Wed Feb 12 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.5.3-15
- Package init
* Wed Nov 29 2017 Jianhai Luan <luanjianhai@huawei.com> - 1.5.3-15.h6
- Do not delete /var/log/rootsh/ and /var/log/rootsh/logrotate
* Fri Nov 24 2017 Jiahai Luan <luanjianhai@huawei.com> - 1.5.3-14.h5
- Modify the attribute of /bin/logrotate-rootsh.sh to 500
* Fri Nov 24 2017 Jiahai Luan <luanjianhai@huawei.com> - 1.5.3-14.h4
- Rotate /var/log/rootsh/* and limit the size of directory
* Fri Nov 24 2017 Jiahai Luan <luanjianhai@huawei.com> - 1.5.3-14.h3
- Add rootsh.back to avoid endless loop compress in logrotate
* Fri Nov 24 2017 Jiahai Luan <luanjianhai@huawei.com> - 1.5.3-14.h2
- Change rootsh log to meet the security code of Huawei
* Thu Nov 2 2017 Jianhai Luan <luanjianhai@huawei.com> - 1.5.3-14.h1
- Add the logrotate configure file to limit log size